Monday, April 27, 2015

Threat Spotlight: TeslaCrypt - Decrypt It Yourself

This post was authored by: Andrea Allievi, Earl Carter & Emmanuel Tacheau

Update 4/28: Windows files recompiled with backward compatibility in Visual Studio 2008

Update 5/8: We've made the source code available via Github here

After the takedown of Cryptolocker, we have seen the rise of Cryptowall. Cryptowall 2 introduced “features” such as advanced anti-debugging techniques, only to have many of those features removed in Cryptowall 3. Ransomware is becoming an extremely lucrative business, leading to many variants and campaigns targeting even localized regions in their own specific languages. Although it is possible that these multiple variants are sponsored by the same threat actor, the most likely conclusion is that multiple threat actors are jumping in to claim a portion of an ever increasing ransomware market. One of the latest variants is called TeslaCrypt and appears to be a derivative of the original Cryptolocker ransomware. Although it claims to be using asymmetric RSA-2048 to encrypt files, it is making use of symmetric AES instead. Talos was able to develop a tool which decrypts the files encrypted by the TeslaCrypt ransomware.

TeslaCrypt-1




At the first glance, the dropper appears to be related to the original CryptoLocker. The malware states that data files, such as photos, videos and documents on the victim’s computer have been encrypted with the RSA-2048 asymmetric algorithm. As we shall see, that statement is not entirely accurate.

Targeting files that users value highly makes ransomware very effective at getting users to pay the ransom. TeslaCrypt is interesting because it also targets and encrypts computer games files, such as saved games and Steam activation keys. This means that TeslaCrypt is targeting many different types of users, including PC gamers. Just like irreplaceable photos, a game save, which is the product of countless hours of gaming, is extremely valuable and hard to replace.

We have analysed two samples of TeslaCrypt, the first dated March 2015 and the second dated April 2015. Their SHA256 are:

  • 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370
  • 6c6f88ebd42e3ef5ca6c77622176183414d318845f709591bc4117704f1c95f4

Both samples implement the following hashing algorithms:

  • SHA1
  • SHA256
  • RIPEMD160
  • BASE58
  • BASE64

Infection Vector And Setup Function


This ransomware is usually distributed as an email attachment or through websites that redirect the victim to the Angler Exploit Kit. In our analysis, the exploit kit delivered a malicious Flash object containing an exploit against CVE-2015-0311. The payload for this exploit was a TeslaCrypt sample.

We are only going to give a quick introduction on the dropper’s architecture and the setup function because this functionality has been widely covered.

Most TeslaCrypt samples use COM+ sandbox evasion techniques. For example, the dropper we analysed uses simple detection code that verifies if the “URLReader2” COM interface has been correctly installed in the DirectShow filter graph list:

TeslaCrypt-GraphList


If the check passes, the real dropper is extracted and executed using a well-known method that makes use of the ZwMap(Unmap)ViewOfSection API functions to unmap the original PE memory image and re-map another image file. The final unpacked executable locates specific Windows directories such as the Application Data directory, and builds support files like the “key.dat” file, and files to store decryption instructions. The executable also adjusts its own privileges (adds “SeDebugPrivilege”) and copies itself using a random file name to the user’s Application Data directory. A new process is then spawned and execution is transferred to it. The original dropper file is deleted. The main malware window is created and five threads are spawned, followed by the window message dispatching cycle.

TeslaCrypt threads perform the following:

  • Delete all system Volume Shadow Copies by executing “vssadmin.exe delete shadows /all /quiet” command
  • Open the “key.dat” file and recover encryption keys. If “key.dat” file doesn’t exist, create the keys and store them in an encrypted form in the “key.dat” file.
  • Send the new master encryption key to the C&C server through POST request (the latest sample that we have analysed contains the following C&C server URLs:
    • 7tno4hib47vlep5o.63ghdye17.com
    • 7tno4hib47vlep5o.79fhdm16.com
    • 7tno4hib47vlep5o.tor2web.blutmagie.de
    • 7tno4hib47vlep5o.tor2web.fi
  • Implement anti-tampering protection: every 200 milliseconds, TeslaCrypt enumerates all running processes and if a process with a filename that contains any of the words below is found, that process is terminated using the TerminateProcess Windows API function
    • taskmgr
    • procexp
    • regedit
    • msconfig
    • cmd.exe

File Encryption - Introduction


After the initialization routine and the deletion of the Volume Shadow copies, the sample creates the “key.dat” file where it stores all the encryption keys. The dropper from March 2015 calculates at least 2 different main keys: a payment key and a master encryption key. The other dropper implements the concept of an additional key known as the “Recovery key’.

“GetAndHashOsData” is the function responsible for creating the base buffer for the generation of all keys. At startup it acquires the following info:

  • the global workstation’s LAN network statistics, using the NetStatisticsGet API function
  • 64 random bytes generated by Windows Crypto functions
  • all heap descriptors of its own process
  • all active process descriptors and the threads descriptors of each process
  • all loaded modules in each process
  • the workstation’s physical memory information
 Once the data is acquired, it generates a big array of SHA1 values, one for every 20 bytes of acquired data. At the end it calculates and stores a global SHA1 value for the entire array, in a symbol that we have called “g_lpGlobalOsDataSha1”.

With these 2 items, the “FillBuffWithEncryptedOsData” routine is able to fill a generic buffer with the calculated data, in a pseudo-random manner. A master key and a payment key are generated using this function (each key is 32 bytes wide), their SHA256 is calculated and finally a custom algorithm is used to shift left and shift right the 2 keys. The two shifted SHA256 values are stored in the “key.dat” file.

The Key File


The “OpenKeyFileAndWrite” routine tries to open the “key.dat” file, located in the user’s Application Data directory. If it doesn’t exist, it generates the 2 master keys (3 in case of the most recent dropper) as well as other keys, and stores them in the key file.

Here is a little schema of the layout of the “key.dat” file:

TeslaCrypt-Keydat
* = We currently don’t know precisely how this value is used by TeslaCrypt

The latest version of the dropper creates a “RECOVERY_KEY.TXT” file inside the user’s document directory. It does this to achieve a particular goal: if the victim workstation is offline or if a firewall blocks the communication with the C&C server, the dropper will proceed with the destruction of the master key inside the “key.dat” file, after the encryption of all files has been completed. To recover the files, the user would have to connect to the threat actor’s TOR website and provide the recovery key. The threat actors use a custom algorithm to to recover the master key from the recovery key:

TeslaCrypt-2



The recovery key file contains 3 pieces of information in an human-readable form, separated by a carriage return character:

  • The Bitcoin address
  • The payment key ID (32 hex digits)
  • The recovery key (64 hex digits)

The File Encryption Algorithm


File encryption is performed in a dedicated thread. The code for the encryption thread takes the shifted master key, calculates its SHA256 hash and starts to enumerate all files of the victim workstation (filtering by extension type, Tesla Crypt supports over 170 different file extensions).

“EncryptFile” is the function that manages the entire file-encryption process. It:

  • generates a 16-bytes Initialization Vector for AES, using the GetAndHashOsData API function
  • reads the target file
  • initializes the AES encryption algorithm through the creation of the AES context data structure
  • finally encrypts the contents of the file using an AES CBC 256-bit algorithm implemented in the “EncryptWithCbcAes” function.
When the process is complete, the new encrypted file is created. The new file contains a small header (composed of the AES Initialization Vector in its first 16 bytes followed by the original file size in the next 4 bytes), and then the actual encrypted bytes.



The pop up window displays misleading information: the encryption method is a symmetric AES, and not an asymmetric RSA-2048 as stated by TeslaCrypt in the screenshot above. As proof that TeslaCrypt is truly using symmetric AES and not asymmetric RSA, we provide for a decryption utility capable of decrypting all the files encrypted by this ransomware (provided you have the master key).

The Talos TeslaCrypt Decryption Tool


Our decryption utility is a command line utility. It needs the “key.dat” file to properly recover the master key used for file encryption. Before it begins execution, it searches for “key.dat” in its original location (the user’s Application Data directory), or in the current directory. If it isn’t able to find and correctly parse the “key.dat” file, it will return an error and exit.

Click for Larger Image


To use this tool, just copy the “key.dat” file into the tool’s directory and then specify either the encrypted file or a directory containing encrypted files. That’s it! Files should be decrypted and returned to their original content.

Here is the list of command line options:

  • /help - Show the help message
  • /key - Manually specify the master key for the decryption (32 bytes/64 digits)
  • /keyfile - Specify the path of the "key.dat" file used to recover the master key.
  • /file - Decrypt an encrypted file
  • /dir - Decrypt all the ".ecc" files in the target directory and its subdirs
  • /scanEntirePc - Decrypt ".ecc" files on the entire computer
  • /KeepOriginal - Keep the original file(s) in the encryption process
  • /deleteTeslaCrypt - Automatically kill and delete the TeslaCrypt dropper (if found active in the target system)
Back up your encrypted files before you use this utility. Provided without any guarantees.

Link to the Tool


The TeslaCrypt Decryption Tool is provide as-is and is not officially supported.  The user assumes all liability for the use of the tool.

Windows binary: https://github.com/vrtadmin/TeslaDecrypt/tree/master/Windows

IOCs


Hashes:
3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370
6c6f88ebd42e3ef5ca6c77622176183414d318845f709591bc4117704f1c95f4

IP Addresses:
38.229.70.4
82.130.26.27
192.251.226.206

Domains Contacted:
7tno4hib47vlep5o.63ghdye17.com
7tno4hib47vlep5o.79fhdm16.com
7tno4hib47vlep5o.tor2web.blutmagie.de
7tno4hib47vlep5o.tor2web.fi

ThreatGrid has also added a behavioral indicator to identify TeslaCrypt.

Click for Larger Image


Conclusion


Analysing TeslaCrypt ransomware was a challenge. All the encryption and hashing algorithms in the dropper made the analysis pretty difficult. As we have seen, sometimes the threat actors authors even lie. Nevertheless, ransomware continues to plague users. Incorporating a layered defense is critical to combating this type of threat before it has the chance to encrypt files. A good system backup policy is the best way to recover files that have been hijacked.

coveragetable
Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

The Network Security protection of IPS and NGFW have up-to-date signatures to detect malicious network activity by threat actors.

ESA can block malicious emails including phishing and malicious attachments sent by threat actors as part of their campaign.

205 comments:

  1. Oh my, do you guys ROCK!

    ReplyDelete
  2. I had this bloody take over my PC, killed all my music, videos, pdfs and photos etc was well hacked off, fortunataly I had a backup of everything on external hard drive (not plugged in at the time ells that would of been done as well) so only lost a few phone photos, did a fresh re-install of Windows and other software) to be sure it was gone and all was good all be it half a day to install updates to Windows 7 ultimate 64 bit ! A note to others always backup your data if you want to keep it safe, do this on 2 drives and stick 1 round your folks house periodicly rotate them to keep both up to date, just incase of fire or flood etc. I learnt the hard way 10 years back, will never make that mistake again ! its not a question of IF but WHEN !

    ReplyDelete
  3. Hey guys
    I have been infected by this evil ransomware and was about to pay for decryption when I found your awesome blog.
    I have tried running the Windows binary .exe but the master key has gone.
    How confident are you that you will be able to write an algorithm to recover the master key from the recovery key and if so how long will it likely take?
    Thanks

    ReplyDelete
  4. That is extremely unlikely. The vulnerability here is that the threat actor implemented the encryption algorithm using symmetric keys. If the key is missing this method will not work. I would recommend you restore from backup.

    ReplyDelete
  5. Hi Craig
    Foolishly I do not have a backup. I had all of my files on a NAS drive which I had mirrored thinking that all I was protecting against was a drive failure or hackers trying to steal information. I have thousands of photos that are very important to me so it looks like I have no choice but to pay the ransom. As soon as I get my files back I shall be backing up to the cloud and an external hard drive.

    ReplyDelete
  6. Remember even if you pay the ransom there is no guarantee the files are going to decrypt properly - there is also no guarantee that the malware is actually removed.

    ReplyDelete
  7. True but I don't have much choice. I have run McAfee Stinger to remove the Malware. I will reformat my HDD and start again as an additional precaution. So long as I get my files back I will be relieved.

    ReplyDelete
  8. I am not familiar with that product. If it has the concept similar to quarantined files you may want to check there for the keyfile. It is possible it was classified as malware since the malware produced it. Good luck.

    ReplyDelete
  9. Thank you for providing a glimmer of hope in regards to crytolocker. I have a school that was devastated by the event.

    ReplyDelete
  10. This tool we developed is specifically for TeslaCrypt. It will not work for CryptoLocker.

    ReplyDelete
  11. Is it possible to get a copy of TeslaCrypt for testing purposes?

    ReplyDelete
  12. Is there any ransomware using RSA Asymmetric enrcyption?

    ReplyDelete
  13. Why not run data recovery to restore the key.DAT file? Assuming that this file is not sdeleted.

    ReplyDelete
  14. I tried to run the WIN binary but got back error
    "Not valid WIn32 application"

    an sugest please

    ReplyDelete
  15. Possibly. Search for the hash on malwr.com.

    I do the same thing myself to test new firewall and av signatures, but on a segregated network.

    ReplyDelete
  16. Hi,
    I tried using you tool but on infected machine (windows xp) I recive error TeslaDecrypter is not valid win32 application. Then I copied key.dat file from infected machine on other pc with windows 7 64bit. When I tried run the tool I recive "Warning! The "key.dat" file doesn't include the master key."...
    Any suggestion for next steps?
    Thanks,
    Dushan

    ReplyDelete
  17. It means that your "key.dat" file doesn't include your master key. That key has been already encrypted in the recovery key (and sent to the C&C server) with an Elliptic Curve cryptography.

    Andrea

    ReplyDelete
  18. Great, works like charm, only few files (not important like eula.xxx.txt.ecc) not imported. All my files was decrypted. key.dat file was complete with all keys :)

    ReplyDelete
  19. Christopher GurneeApril 28, 2015 at 12:33 AM

    Andrea,

    If you determine it's impossible to restore the master key from the recovery key alone (e.g. if it's encrypted via ECIES or some other asymmetric cipher), do you intend to update the blog post with the technical details of your findings?

    (BTW great work!!)

    ReplyDelete
  20. Hi Andy,

    It is a CLI utility. You will need to verify the sha256 and run it from the command line.

    ReplyDelete
  21. "Warning! The "key.dat" file doesn't include the master key."
    Still no solution for this case or?

    ReplyDelete
  22. Hi Cisco

    Can you please update your script to Decrypt *.EZZ files too?
    I have to rename my .ezz files in order to decrypt them.
    I've got the key.dat file

    ReplyDelete
  23. I have the same problem. One of our computers is still on XP and the virus encrypted the local hard drive and the backup which was attached to the computer. The decryption tool states to use the command line option, however whenever you press a key the decryption tool closes. Any help would be GREATLY appreciated.

    ReplyDelete
  24. This may be due to the version of visual studio it was compiled with. We'll be updating the windows binary shortly with a older more backwards compatible version that should work with XP and newer.

    ReplyDelete
  25. Craig,
    Great thank you very much for your quick response it is much appreciated.

    ReplyDelete
  26. I cannot run it on XP? Please assist. I have a huge amount of files that have been affected. Will appreciate your assistance.

    ReplyDelete
  27. How do you verify the SHA 256, keep getting an error indicating that its not a Valid win32 application ?

    ReplyDelete
  28. If you have the original file and an encrypted file would it be possible to find out the master key?

    ReplyDelete
  29. Reporting a similar issue to this. Client's files have been locked and extension suffix added as .EZZ

    Key.dat is available and in the same reported location. All other symptoms are present.

    ReplyDelete
  30. No it does not work!

    For those seeking help - ignore Will's spam

    That software does not decrypt files. It doesn't even remove the malware ... unless you pay!
    (You'll also have difficulty removing the software if you do install it, even the free version)

    The teslacrypt malware can be removed for free using something like malwarebytes anti-malware, and then hopefully this cisco tool will then decrypt the files for you ... all for no charge.

    ReplyDelete
  31. For the sake of completeness, by earlier comment is in reply to post by Will Read April 28, 2015 at 10:33 am

    Do not confuse with the great work being done here :)

    ReplyDelete
  32. Be aware we've updated the Windows files. They have been recompiled with backward compatibility in Visual Studio 2008.

    ReplyDelete
  33. I don't know how to verify SHA 256 in win XP same problem here. If I extracted files and copy to USB stick +key.dat and open in
    WIN7 work ok but seems I don't have master key in key.dat

    In win XP I could not open allways not valid for win32...

    ReplyDelete
  34. I just tested newer version I can confirm that work in XP.
    I can see the report in created TeslaDecrypter TXT file

    20:15:37 - ReadKeyFile - Warning! The master key inside the "C:\Documents and Settings\....\Application Data\key.dat" file is stripped down. Unable to import the master key. To recover the master key from the recovery key please use a newer version of this tool.

    Many thanks to your great work please keep going to find master key...

    ReplyDelete
  35. UPDATE - Renaming encrypted files from .EZZ to .ECC is the fix. The Cisco tool doesn't recognize new variant of .EZZ

    ReplyDelete
  36. Thank you Craig.

    I can confirm this latest tool works in XP.

    Unfortunately for me, the key.dat file does not contain the Master Key. I guess the clue was there in that the file was last modified once all my other files were encrypted.

    ReplyDelete
  37. How do I run with Python file ?

    ReplyDelete
  38. Hi , I was hit by this virus on Saturday the 25th of April , I have been able to stabilize my computer and remove the virus ,I tried your decrypter but it says my key.dat wasn't there , I then used a data recovery program and I think I might have found it but because it is also partially encrypted I am not sure . If I send a snapshot of the file I found could you tell me if this is in fact my private key ?,
    Thanks for any help I would love to regain all my lost files, or even some of them,
    Julie

    ReplyDelete
  39. Dear Craig,

    How do i solve the below error??? Please i need assistance. I am on XP.

    Warning! The "key.dat" file doesn't include the master key.
    This is a quite common situation because TeslaCrypt has already deleted it
    to proper mantain its stealth.
    This version of the decryptor doesn't include the algorithm needed to recover
    the Master key from the Recovery key.
    Please use a newer version of the tool.

    Error! I was not able to recover the TeslaCrypt Master key!
    Try to use the command line.

    Press any key to exit...

    ReplyDelete
  40. The new version does run on XP now which is great. Unfortunately for me it just cant find the master key. I have the recovery_key text file and the restore text file.

    ReplyDelete
  41. Hi,

    How likely is it that you will be able to update the tool to support the recovery key algorithm?

    ReplyDelete
  42. Team,

    Will highly appreciate if we can get the work around for the error we are getting below. Keep up the good work.

    ReadKeyFile - Warning! The master key inside the "C:\Documents and Settings\Fahim\Application Data\key.dat" file is stripped down. Unable to import the master key. To recover the master key from the recovery key please use a newer version of this tool.

    ReplyDelete
  43. Hi.
    I found the key.dat and recovery_key.txt files, created at the same time.
    The tool doesn't work copying the key.dat file in tool's directory.
    Can i obtain a result with the recovery_key file?
    thanks.

    ReplyDelete
  44. Hi Talos, thank you very much for this tool. I cannot run it on a Windows 7 Professional SP1 box: every time it crashes after I enter the filename to decrypt. Dependency walker claims I miss some modules: API-MS-WIN-APPMODEL-RUNTIME-L1-1-0.DLL, API-MS-WIN-CORE-WINRT-L1-1-0.DLL and many others. I installed VC++ 2012 and 2013 redist with no luck. How can I fix it?
    Thank you

    ReplyDelete
  45. Talos, hope we can tackle the issue below soon. Please advise on way forward. Keep up the good work.


    ReadKeyFile - Warning! The master key inside the "C:\Documents and Settings\Fahim\Application Data\key.dat" file is stripped down. Unable to import the master key. To recover the master key from the recovery key please use a newer version of this tool.

    ReplyDelete
  46. Thank You for this!

    I have managed to decrypt 6Gb of a customers photos that had not been backed up!!!

    ReplyDelete
  47. Hi Nathan,

    I have spammed that comment. We cannot verify the validity of 3rd party tools.

    ReplyDelete
  48. I have an infection with TeslaCrypt that has dropped .ezz files in stead of .ecc, as far as I can tell your command line tool works, but does not see the .ezz files as needing decryption. Is there a quick fix for that?

    ReplyDelete
  49. Hello Craig, Please assist with "file is stripped down. Unable to import the master key. To recover the master key from the recovery key please use a newer version of this tool" error. I have a so many files i need to recover.

    Thanks in advance.

    ReplyDelete
  50. Sorry! DIdn't read through all the comments. Thanks for all the great work!

    ReplyDelete
  51. Hi Fahim,

    At this point in time the tool does not have that functionality.

    ReplyDelete
  52. I came across this on a customers computer but before I found this blog I'd already re-formatted the PC! I have kept all his encrypted personal files, pictures etc. The key.dat file and all other files associated with Teslacrypt are gone though. Is there going to be a tool that can decrypt his files without relying on the key.dat file or recovery_key.txt file??

    ReplyDelete
  53. Respect guys , really and thank You !

    But fuckers creating such a shit should be terminated immediately.

    ReplyDelete
  54. Just use batch utility for changing extensions , works.

    ReplyDelete
  55. We got hit with an updated version of this today. How do I get u a sample to see If its different than the one u posted.
    The one we caught is a little different than this post

    ReplyDelete
  56. If the Key.DAT file is gone already, I'm SOL, right?

    ReplyDelete
  57. Wonder if there is any update on the tool version yet?

    ReplyDelete
  58. What can be done if the files where saved to a external hard drive then the computer was wiped and had Windows reinstalled.. Is there still a way to decrypt these files?

    ReplyDelete
  59. Hi Craig,

    Are you still working on implementing this functionality?

    ReplyDelete
  60. IT WORKED!!!!!
    THANK YOU!!!!!

    ReplyDelete
  61. I have the same problem with the key being stripped. Would be great if you could get the recovery key working. Many thanks for everything you have done so far!

    ReplyDelete
  62. A customer was hit with a variant of this today with an XP machine. The files affected had the .ezz estension added. I ran a batch conversion and changed the file extensions to .ecc . I then ran the tool (4/28 version) which converted all the files and reported sucess. None of the converted files worked.
    My log shows that I missed the (key.dat file is stripped down) error message.
    Please let me know when a updated version is available.

    ReplyDelete
  63. Renaming the files from .ezz to .ecc won't work.. I'm waiting anxiously for any breakthroughs. Thanks

    ReplyDelete
  64. Hi Craig,
    We just got wacked by this thing and don't have a viable key.dat file. Are you guys working on having the tool be able to restore files with the stripped down key?

    ReplyDelete
  65. Usually it should take how many days or weeks in order to deal with this ransomware. It definitely a nightmare for a lot of those PC user who their file get encrypted. Everyone is crying for a solution.

    ReplyDelete
  66. Hi, my key dosen't include the master key, so i wonder if there is possibility to get key if i have a few original, not crypted files and the same files crypted?

    ReplyDelete
  67. Hello,

    Today we have discovered a lot of files with EZZ extension. For a lot of files we have backup, but some not. We have tried the teslacrypt tool, but no success:

    Warning! The "key.dat" file doesn't include the master key.
    This is a quite common situation because TeslaCrypt has already deleted it
    to proper mantain its stealth.
    This version of the decryptor doesn't include the algorithm needed to recove
    the Master key from the Recovery key.
    Please use a newer version of the tool.

    Error! I was not able to recover the TeslaCrypt Master key!
    Try to use the command line.

    Any idea how to fix this and decrypt the files?

    Regards,
    Webmagic

    ReplyDelete
  68. MARAVILLOSO!!!!

    ME SALVARON LA VIDA

    ReplyDelete
  69. Hi Talos Group, Just got this on a clients XP machine - encrypted files with ezz extension. On a pc and a server.
    Is there going to be an updated version of your tool to decrypt the the ezz files?
    Client is literally crying!!

    ReplyDelete
  70. I am asking this again, but why not run data recovery to restore the key.DAT file? Assuming of course, that this file has not been securely deleted.

    ReplyDelete
  71. Have you attempted to use a software data recovery tool to recover this file?

    ReplyDelete
  72. Hello. My institution has also been hit by this. We have downloaded and run this tool. The tool indicated that it completed successfully and the icons for the encrypted files changed back to the appropriate image. However, when we try to access those files, we get errors saying that the files are currupted. Any suggestions on what we need to do differently?

    ReplyDelete
  73. This blog helped me recover almost 20,000 files and save my a$$ from getting canned. I learned a valuable lesson. ALWAYS BACKUP. BTW. I formatted the PC before I read this post and went back and recovered the key.dat file with the demo version of R-Studio.

    ReplyDelete
  74. i am trying to use Panda Ransomware, i have the original file and the encrypted one but it cant find the key too.

    ReplyDelete
  75. +1 for version 0.2. key.dat has no master key

    ReplyDelete
  76. What to do with this error? We have the key.dat

    Warning! The "key.dat" file doesn't include the master key

    ReplyDelete
  77. Are you guys working on having the tool be able to restore files with the stripped down key? I think this really needed.

    Thanks for your great work!

    ReplyDelete
  78. Fabulous posting bro. Fairly sure he can possess a good read.
    asos prom dress http://www.asosdresses.net/prom-dresses_c86.html

    ReplyDelete
  79. Malware like this are a good reason to deploy an IPS rather than a typical firewall/router solution, and make the case for specifically why I've used an IPS for several years now. My IPS, aside from doing the job of a normal firewall, also intelligently detects and responds against malware, botnets and attempted breaches of security. But then again, I also don't play many PC games anymore... too busy, mainly, with work. Still, in my line of work, I'm basically on the front lines of cyber warfare, so when I say that an IPS will mitigate crap like TeslaCrypt, listen up because it's good advice. I realize that not everyone understands technology enough to deploy an IPS, but in those cases one can be purchased, or built out by a friend, or something like that. I'm sure there are a few struggling PC repair shops around that would be more than happy to convert a P4 or early Athlon64 into a pfSense IPS/Firewall, and probably for a fairly low fee. If someone supplies the hardware, I'll build one out for $50, because it doesn't take me even a half hour to prep one.

    ReplyDelete
  80. We are having the *.ezz variant, and the tools says it's been recovered, but files still does not work. Any updates/idea?

    ReplyDelete
  81. I found the key.dat file and placed a few encrypted ezz files in a test directory.

    When I ran tesladecrypter it was able to find the master key but not the ezz files. Then I realized it was looking for ecc files, not ezz (all my files are ezz).

    when I changed the file extensions from ezz to ecc the command processed all the files, but ultimately the files were garbled, as if it was using the wrong decryption key.

    Any suggestions? Thanks.

    ReplyDelete
  82. For information only to those who have a .ezz file extention, rather than the .ecc file extention.

    If your encrypted files have a .ezz extention, you were probably infected a new variant of TeslaCrypt, dubbed Alpha Crypt.
    http://www.bleepingcomputer.com/forums/t/574900/teslacrypt-ransomware-changes-its-name-to-alpha-crypt/

    ReplyDelete
  83. It would appear, based on the comments above and comments left on that other site, that whilst renaming the .ezz files to .ecc, (and you have the master key!) the Talos Teslacrypt Decryptor tool is fooled into thinking it successfully decrypts your encrypted file ... but it hasn't, at least not correctly. If you try this yourself, I would suggest you keep a copy of the original encrypted file first, to use later should a more successful solution be then found for you.

    ReplyDelete
  84. Renaming ezz to ecc has not worked in my case

    ReplyDelete
  85. Thank you for working to counteract these evildoers! I have seen that there are several ransomwares that have now been cracked. As a victim of Cryptowall2, I am hoping that you or others may eventually be able to crack that one as well so those of us who were hit by it can retrieve our files. Thanks for your efforts.

    ReplyDelete
  86. Hello, we´ve exectute the script and our log contains that:



    Talos TeslaCrypt Decryptor 0.1
    Execution time: 04/05/2015 - 19:31
    19:31:39 - Successfully imported the master key "BAB95468226816739DEC8422B23B7910A0F2E347C8B1E1E954BAAC1CBE91F118" from "C:\Documents and Settings\farmacia-alm\Mis documentos\TeslaDecrypt_exe\key.dat" file.
    19:31:39 - SearchForTeslaCryptProcess - No active TeslaCrypt process found in this system!
    19:31:51 - DecryptDirectory - Processing "C:\" directory (Recursive: True, Strip file extensions: True)...


    Our extensions are ezz, and we changed them and the error persits.

    Thanks.

    ReplyDelete
  87. Just wanted to add some more info in case it helps the devs...

    We were hit by this today. As others have stated, we are getting .ezz files instead of .ecc. Changing the file extension does not seem to help in our case (Decrypter sees them and claims 'success', but the files are still corrupt/encrypted).

    I have the key.dat and an example of an encrypted file if that will help.

    ReplyDelete
  88. hi friends, with ezz files not work.

    any solution?

    thks for all.

    ReplyDelete
  89. Really hopeful for an update to handle ezz files.

    ReplyDelete
  90. Hi,
    I've tried but it doesn't work for me, with key.dat.
    On offset 0x177 of key.dat there is something written.
    May be I got a variant with different offsets ?
    Size of key.dat is 752B.

    Thanks
    A.

    ReplyDelete
  91. My key.dat exists but only contains the bitcoin address. Has anyone had any luck using data carving software to find the original version of the file? I also see that there is a registry key at HKCU\Software\Windows\CurrentVersion\SET\data. This contains the same recovery key as recovery_key.txt but may have contained the master key at some point. Any luck carving for deleted or modified registry keys? A little bit of a stretch but I'm desperate :)

    ReplyDelete
  92. The variant we have been hit with ends with .ezz. In addition you can't launch a command prompt or task manager. I tried running the tool anyway and it does decrypt the file but the file contents are garbled and unreadable.

    ReplyDelete
  93. Please, any solution for ezz files? all my work are lose

    ReplyDelete
  94. It seem like by using RakhniDecrytor and change those files to ecc, we can decrypt most of the files. I have done it.

    ReplyDelete
  95. You may or you should try RakhniDecrytor if you are urgently required to use those encrypted file. You are advised to back up a copy of the file before trying. I have done it anyway due to urgency.

    ReplyDelete
  96. thks sylvester, but rakhnidecryptor ignore this files, we are rename to ecc too

    ReplyDelete
  97. I used your wonderful tool for TeslaDecrypter AlphaCrypt. I could not return to the original state of the file even if it seems to be unsuccessful. This is a log created by TeslaDecrypter:

    Talos TeslaCrypt Decryptor 0.1
    Execution time: 05.05.2015 - 11:30
    11:30:50 - Successfully imported the master key "F01A6699E94EB73C8DB66F3473A3F13239C77F0EAADC25C7D1DA63971818B67D" from "C: \ Users \ Alexander \ AppData \ Roaming \ key.dat" file.
    11:30:50 - SearchForTeslaCryptProcess - No active TeslaCrypt process found in this system!
    11:29:57 - DecryptDirectory - Processing "C: \" directory (Recursive: True, Strip file extensions: True) ...

    I can catch up with the master key?

    ReplyDelete
  98. TeslaDecrypter works perfectly, change the ext.ezz by .ecc and find the file key.dat, thank you.

    ReplyDelete
  99. moicao , you can open correctly that files???

    ReplyDelete
  100. Well I am one of those with stripped master key. I found nothing.
    I digged through deleted files but almost none exist on that drive, and I tried looking past Eof of key.dat but nothing seems to remain there. I am surprised that there are no trails od deleted files, at least as found by various undelete tools.
    Do anyone know whether I should try looking deeper e.g. by gHex or something else like old DiskEdit, or is it just a dead way and it is gone, overwritten in place by malware design?

    ReplyDelete
  101. that files are corrupts or unreadables

    ReplyDelete
  102. thks for this work!!! we wait for ezz patch!!! not word for this files!! thks a lots

    ReplyDelete
  103. on a Windows 7, the tool detects the key.dat, it starts to decrypt the files, the .ecc disappeared but i still cannot open the file. what could happen?
    many thanks!

    ReplyDelete
  104. Hi:

    When i use tesladecryptor with flag /key: it produces an error unhandled so windows show me debug or close.

    I have a key extracted from network trafic and i want to test it.

    ReplyDelete
  105. nobody response here, it isnt ideal site to make questions

    ReplyDelete
  106. Craig, Can you acknowledge that the alphacrypt release will be at minimum looked at in hopes to generate a similar tool or modify the teslacrypt to convert the .ezz files generated by that variant?

    ReplyDelete
  107. hi Dear, i have the same problem with *.EZZ

    i changed ezz by ecc, but now the file is corrupted.

    Can you help me please.

    Thanks

    ReplyDelete
  108. I have 2 key.dat files. This probably happened because there are two personal application data files on my PC. The first file was created a few hours after encryption on Thursday April 23rd. It contains the master key. The second was created five days later, but is missing the master key. ( I have 2 recovery text files which match the creation times of both key.dat files.) I ran the decrypter which choose the second key.dat ( without the master key.) Then I found the other key.dat file after doing a simple search for "key.dat". I then ran the decrypter with the first created key.dat key file which returned a success. However, the newly created pics with no ecc extensions have no preview and the new word/excel files created are illegible. Would it be possible to put the master key into the second key.dat file which probably has the correct shifted SHA 256? I have read this site's info a 100 times. I am no techie...just an accountant! Can someone please advise?

    ReplyDelete
  109. You might have alphacrypt. Do your files end in .ecc or .ezz?

    ReplyDelete
  110. Anyone knows if a new version of the TeslaDecrypt which can decrypt the new .ezz files, are on the way?

    ReplyDelete
  111. Can I add to the list waiting for an update that decypts .ezz files. Thanks in advance!

    ReplyDelete
  112. Someone knows how to decrypt files .ezz ?
    thanks a lot

    ReplyDelete
  113. Great, thanks for the suggestion of alphacrypt, I hadn't heard of that one yet. My files end in .ecc

    Any suggestions for decrypting if it is alphacrypt?

    ReplyDelete
  114. Sorry people,

    but I think thats all what can decryptor do if you missing the master key you can only erase all files...It seems the
    Talos group not working on that problem anymore?

    ReplyDelete
  115. Talos Team: have .ecc extensions; have 2 key.dat files(dat file 1 produced after encryption has master key) (dat file 2 produced 5 days with no master key); difference in dat files: bitcoin address change, all characters following bitcoin address changed, empty space where masterfile was, but the very last group of characters 7(maybe 8 characters) have similarities. The first 2 characters are different and the remaining characters are the same. Ran your decryption with dat file 1. Success. Result - JPEGS no preview. Used JPEG repair tools. JPEGS corrupted. Could the difference in the last 7 characters cause the corruption of JPEGS? Can a new dat file be created to correctly decrypt files? Any suggestions from anyone? Thanks...Jean

    ReplyDelete
  116. Talos Team: in reference to comment above May 6/2015 at 11:30am: the JPEGS produced from your decrypter are the exact same byte size as the original unencrypted jpeg file (retrieved from an email). Is this decrypted file truly corrupted? Or is something missing from the master key in dat file 1 that is in dat file 2 which is necessary for your decrypter to produce the image? one JPEG recovery tool returned invalid file...another tool returned severely corrupted file(copies of all original encrypted files are backed up...just don't know how to create a new dat file if this is the issue.) Please let me know. Thanks....Jean

    ReplyDelete
  117. Good evening! I don't have the key, but I have a picture saved on an external ahrd disk and the same one that has been encrypted on my laptop's hard disk, is it possible to obtain the key having these? Thank you!

    ReplyDelete
  118. As information, we had a situation where Business important files where encrypted, but we had no backup of them.
    We had to go through with the payment to get the decryption key.
    This works! We payed 2.2Bitcoins (528$) and after 1hour we got the key and a tool to decrypt.
    So, if backup is not an option, and paying is the last way out, this works.

    ReplyDelete
  119. If you have the decrypting software then you really need to contact the Talos team and get it to them so that they can reverse engineer it. If you don't then my guess is you want people to pay the ransom...

    ReplyDelete
  120. I do not think so.

    ReplyDelete
  121. KR: I got the decryption software. If i know how to contact the Talos team to give it to them, I would do this.
    The decryption requires a decryption key, a verification key and the decrypt software. I would sent it all to them, if I knew how to.

    ReplyDelete
  122. Their twitter account... https://twitter.com/talossecurity

    ReplyDelete
  123. KR: I'll try to contact them, and see if they are interessted in the decryption software.

    ReplyDelete
  124. HI,

    I try to decrypt a files/folder.
    Tool success but file result appears as : name.file.docx_decrypted.ezz
    I try to rename as original format , still not open.
    Wrong something in procedure ?

    Thanks
    Matteo

    ReplyDelete
  125. Stefan

    you are at the same point as others. Your master key was deleted and you couldn't do anything. there is no solutions yet. You can only pay 500USD or format PC or find the master key somewhere or Anyone will find the new solution ??

    ReplyDelete
  126. I would be grateful if you would send it to me as well, I'm an info security student and I'd like to try my luck at reverse engineering it.
    pitoboxed@gmail.com

    ReplyDelete
  127. ssetal@naver.com please TT

    ReplyDelete
  128. I would love the decryption tool as well. If someone has the ability to put in on a site must be easiest.

    ReplyDelete
  129. Hi Michael, can you provide me the decryption tool? My address: checkhm01@gmail.com.

    Thanks in advance.

    ReplyDelete
  130. If someone has an online upload tool or something, I could sent the decryption software there.
    It cannot be sent through Email, as every Anti virus software detects the decrypt.exe as a virus.

    ReplyDelete
  131. Try to use :
    http://www.filedropper.com

    rename .exe file.
    Thanks

    ReplyDelete
  132. hello, i try your decrypt tool but .
    "The key.dat file doesn't include the master key, very possible TeslaCrypt has allready deleted it. Please use a newer version of the tool". Can you help me?

    ReplyDelete
  133. Hi,

    We’ve made the source code available via Github. It is available here: https://github.com/vrtadmin/TeslaDecrypt

    ReplyDelete
  134. I would urge everyone not to run executable files from untrusted sources. This is one of the main ways malware propagates.

    ReplyDelete
  135. Hi Craig, followed all the intructions provided in thi blog but still no luck. The files im trying to restore is in .EZZ ext, they say the tool only works with .ECC? do you have an update for .EZZ. thanks in advance.

    ReplyDelete
  136. Hi everyone.
    Here is a link to download the Decryption software (it's zipped)
    *removed*

    ReplyDelete
  137. hi Lasse,

    does it work with .ezz ?
    Or can you explain me how to ?
    Thanks

    ReplyDelete
  138. email talos-external [at] cisco [dot] com

    ReplyDelete
    Replies
    1. This is by far the worst Malware / Ransomware that I've experienced, and as you lot have stated, it doesn't work with EZZ files. I wish it did, as I have a customer who's lost all her documents / photos and I'm desperate to get them back for her! Fingers crossed the tool can be revised for EZZ files, and the people responsible for creating this malware are identified and brought to justice.

      Delete
    2. What do you think about this video with a possible solution for the .ezz files? https://www.youtube.com/watch?v=5tbm2cCcGN4

      Delete
    3. How to decrypt exx files?

      Delete
    4. Is there a version that works on Windows7 64bit? I am getting an error. I have found the python version, but I have never messed with python.

      Delete
    5. Phil that line is a comment. I'm not sure how you would be getting that error.

      See - https://github.com/vrtadmin/TeslaDecrypt/blob/master/Python/TeslaDecrypt.py#L4

      Running for example : python TeslaDecrypt.py --fic abc.py.ecc --decrypt --key 04684d9d06102effe5cadd3b218d61e37a4c693b995a6cb76db2978a2dbfd2e2

      should produce output like "Wrote decrypted file abc.py.ecc.dec" where aby.py.ecc.dec
      is the decrypted file

      Delete
    6. Hello :) Is there a way to get my data back, i need the pictures of my daughter. please help me. i try but it doesn't work with the new version of that type of malware. the files have a .exx extension.

      Delete
    7. If I am unable to locate the pc and program that encrypted the files if I do pay how am I to decypt the files? Does anyone know?

      Delete
    8. real.ghostie@gmail.com BIG THANKS! if it works, i can spend some BTC

      Delete
    9. is there a way to recover exx extension files? please help. all my pictures are in .exx now and my backup is broken too

      Delete
    10. Hi
      I paid 2.2 bitcoins and have received the decryption software from the w*nkers who put the ransom ware on my PC. It has worked and I now have all of my files back. Frustrating as this is, I am delighted as there were 35GB of photos of my kids since they were born.
      I have now backed up all of my data to an external HDD and am about to backup to an online storage as well.
      One question - I have run McAfee Stinger, McAfee full version, Malware Bytes all of which now show my PC as clean. Do I need to wipe my hard drive and reload Windows and all of my software or am I safe now that the ransomware virus has been deleted?
      Thanks

      Delete
    11. Hi. It would be better to reinstall your Windows and install all your needfull Software after that. You can't trust, that your System is safe, because they can left such tools for catch passwords and so on. Can u send me a download link for the decryption software please? i can pay the half of your btc if it works. thank you

      Delete
    12. real.ghostie@gmail.com

      Delete
    13. Please help to decrypt .exx files, the tool doesn't work for them

      Delete
    14. I too have had some experience of this today.

      Local company rang me up to take a look at the machine and it had encrypted all the files with the extension .exx not only that it wiped out the shadow copies on the drive.

      As mentioned earlier looks like this variant uses a storage.bin file in appdata as the key file and not key.dat, so I have a key file but running the tesladecrypter allows the key to be picked up but I have to rename the files from .exx to .ecc for it to attempt to decrypt the files.

      All it does is delete the file and reports in the log that the file is not encrypted or not a TeslaCrypt encrypted file.

      MSS found ransom:win32/Tescrypt.A and has quarantined now just need to find a way to decrypt these files if possible.

      Delete
    15. it does not work for files .ezz
      have you another soluction

      Delete
    16. Alex - without the decryption key and verification key, which is unique for each user, the decryption software is useless. Sorry to be the bearer of bad news but at least if you pay them then you can get you data back.

      Delete
    17. So I was infected by a ransomware on my android phone. I got it off and ran security apps that were suggested by other big blogs. The only problem that I have is that all of my pictures and music are still encrypted. How do I decrypt them on my phone? any suggestions would be great, you can email me at michaelconner1790@yahoo.com

      Delete
    18. Has anyone been able to decrypt the ECC with key.dat files that does not include the master key?
      Can I find in this case the master key in the file storage.bin ?. How should I proceed?
      Thank you very much.

      Delete
    19. Dear Cisco members,
      Is there any change a decryption tool for .ezz will become available soon?
      Thank you very much,
      Sam

      Delete
    20. Hi Katrin - I try to do exact that on a encrypted Windows XP machine. I can run the decryptor and get an "success" - message for the chosen encrypted files, unfortenetely nothing happens, I still can't open the files. Do you experience the same behaviour?

      Delete
    21. My key.dat file has a 128 char human readable block that looks like a key, but the decrypter says it can't find the master. Is there some way to find the 64 char sequence that is the master key?

      Delete
    22. I grabbed rakhni decrypter but it only allowed me to select a single file and after 30 minutes, I gave up without success.

      I would be really appreciative if you could elaborate!

      Delete
    23. I was able to recover a recovery-key.txt file with third party software and they decrypter says it was successful, but all the files are now encoded incorrectly and they are just symbols. Is there something else I can do?

      Delete
    24. Has anyone been able to decrypt the ECC with key.dat files that does not include the master key? Can I find in this case the master key in the file storage.bin ?. How should I proceed? Thank you very much.

      Delete
    25. If you are still trying to decrypt AlphaCrypt .ezz files try the tool posted here, it worked for me.

      http://www.bleepingcomputer.com/forums/t/574900/teslacrypt-ransomware-changes-its-name-to-alpha-crypt/page-4

      Delete
    26. It worked perfectly.I recovered all my work ...
      You are gods for me ...

      Delete
  139. Lasse, your file about Decyption on Filedropper is infected! Is a joke?

    ReplyDelete
  140. I would urge everyone not to run executable files from untrusted sources. This is one of the main ways malware propagates.

    ReplyDelete
  141. Hi Craig,
    I don't undestand if is available the .EZZ decrypter.
    Thank

    ReplyDelete
  142. I agree 100%. This is not a decrypter.

    ReplyDelete
  143. It's not a valid decrypter, it's the software that is provided to you when you pay the ransom. By no means should you run the exe in hopes to clean your files. It is most certainly unsafe. If you read all of the comments you would see that it was requested by several people. The idea being, in the right hands, it might provide some insight to creating a safe and proper decrypter.

    ReplyDelete
  144. Does the tool work with the recovery_key.txt file yet? I do not have the key.dat file??

    ReplyDelete
  145. I get a " the NTVDM CPU has encountered an illegal instruction " when running tesladecrypter.exe from Github on:

    Win XP Pro
    Win Vista 32 bit

    On Vista 64 the OS complains about it being incompatable

    ReplyDelete
  146. My Company has recently been hit by a deviant of Teslacrypt, the extensions end in .exx, and the Master key was stored in "%Appdata%\Local\storage.bin" I renamed it to Key.dat and was able to pull the key from it using Talos, but it failed to decrypt.

    ReplyDelete
  147. Using TeslaDecrypter*

    ReplyDelete
  148. Looks like they have changed file extensions again. There is a new variant which creates *.exx files

    ReplyDelete
  149. Further errors from Github version: using teslacrypt.py on Vista 32 bit

    Line 4 "invalid syntax error"

    ReplyDelete
  150. Same as others have noted. My files renamed with .exx extension and no key.dat but storage.bin file along with log.
    Any help would be appreciated and thank you for your work already with ecc and ezz files.

    ReplyDelete
  151. dear 'need advice'

    how long until you got your key? And how did you get it. I have paid but 24 hours on no key. Unless i'm doing something wrong?

    ReplyDelete
    Replies
    1. sam here, got .exx files, found storage.bin and rename it to key.dat, it made log file and it wrote key inside, files that i rename to .ecc he just deleted..... that is it

      Delete
    2. Has anyone else had trouble running this on a Windows 7 64bit machine? I have tried the Python versions but get errors in the code.

      Delete
    3. for your information RakhniDecryptor of Kaspersky allowed me drecrypter 16591/16664 files that were encrypted by AlphCrypt in *.ezz

      Delete
    4. I had issues with running ALL the versions until I downloaded the files "Raw"

      Delete
    5. @Ricoboss: may you please elaborate how did you decrypt ecc files with that RakhniDecryptor of Kaspersky ?
      Thanks a million

      Delete
  152. Hello cisco team! Is it possible to decrypt .exx files with tha master key from storage.bin? Please help me and other who have the same problem. Thank you so much !

    ReplyDelete
  153. @Michael: Yes, I'm experience the same behaviour. Before running TeslaDecrypter I have rename the .exx extension to .ecc, but they are still encrypted. I can't pay this criminals, because by doing so I'm only convincing them that they are in the right line of business. And the second reason is, that I don't trust that i get something back for the Bitcoins. @all stop paying these people

    ReplyDelete
  154. I have the same problem, my file endings are .exx.
    Is it possible to store my encrypted files on a extern harddisc and wait until it can be decrypted or i need some files like key.dat (i couldnt find it). Or are they lost after i cleaned up my windows?

    ReplyDelete
  155. @Alex In your case (.exx files) you have to save the store.bin, because there is no key.dat.

    ReplyDelete
  156. Hello Craig Williams! Some News for us how to decrypt .exx files? Please tell me and the other poor people that are infected. Thank you!

    ReplyDelete
  157. Same problem aswell, I just got a computer of my client and it is infected with .exx... I tried to run with Cisco Talo Tesladecrypt with the key.dat (rename from storage.bin from \%USERNAME%\Appdata\Local\Storage.bin) and i got succes. But the files are still encrypted.

    ReplyDelete
  158. Thank you for your reply Katrin. Where I can find the file store.bin in Win 7?

    ReplyDelete
  159. So, does no one else get this error running the .exe in Windows? Please someone tell this idiot what he's doing incorrectly

    ReplyDelete
  160. tengo archivos encriptados en .exx, cuando abrí el archivo storage.bin, solo tiene la dirección donde depositar los bitcoins. y no me permite desencriptar.

    ReplyDelete
  161. Turns out I didn't have the full script -

    So where are we getting the key from? I have key.dat in the decrypt directory - what else am I missing - I can run the script using the example key in your post - but of course the resulting file is not decrypted - If I don't specify the key, the script runs but without any output

    Note: I'm only doing this with the .py version because I cannot run the .exe as I mentioned before

    ReplyDelete
  162. So I gather that your group has given up on recovering the Master Key from a stripped Key.dat?

    ReplyDelete
  163. @Brian: indeed! that Decryptor tried 1 billion pwd in 2 hours then gave up, moreover seems to ignore completely the exit.hhr.oshit.
    I ran the process several times, with or without exit.hhr.oshit , key.dat in %APPDATA%, %TEMP%, %windir%, c:\ and even its folder, but the time, the log and the result is always identical. NO success; I believe that Ricoboss did not experience his decryption with Alphacrypt, but (lucky for him) with a different ransomware.

    ReplyDelete
  164. My encrypted files have .exx extension. Tesladecrypter does his work, find the key in storage.bin (renamed to key.dat) and examine my HDs reporting a Success end.

    But the files are encrypted! what should I do? rename all files to *.ecc and decrypt again?

    ReplyDelete
  165. New variant has been discovered.


    http://www.bleepingcomputer.com/forums/t/575875/new-teslacrypt-version-released-that-uses-the-exx-extension/

    ReplyDelete
  166. Can can't find the key.dat file. Encrypted files on NAS, but have looked locally too. Can I pay you to help me?

    ReplyDelete
  167. Is Cisco currently working on a fix for the EXX variant?

    ReplyDelete

Post a Comment